This is a great thread and thanks for the ideas. One thing I noted is that often the token list is used for comparison to a group objectSID. This being the case, and that arrays are difficult to compare, I rewrote the udfs to produce strings and not arrays. This way you can simply do a single conversion, and compare the HEX strings instead of having to convert all the way to the standard SID format before comparison.

I've included the full script which uses the new "string" routines. This *should* run "As Is":